Many networked computational resources such as computers, storage devices, switches, routers, and the like are vulnerable to distributed denial of service (DDOS) attacks. Such an attack typically involves a large number of remotely controlled computers that are used to deluge a target computer with an excessive amount of information. This information usually takes the form of specially crafted Internet Protocol (IP) packets that trigger a flood of packets at the target. The sheer number of such requests overwhelms the target's ability to respond, effectively removing it from service by preventing it from doing anything else. Compounding this problem is the fact that damage from such DDOS attacks is not limited to the target itself. Rather, attacks are also capable of overwhelming any networked device in the path leading to the target.
A typical DDOS attack is characterized by a sudden increase, or burst, in traffic volume, i.e., an increase in the rate (often measured in packets per second or bytes per second) at which information is transferred across a network to the target computer. Because such an attack is often made up of packets or other information arriving from a finite number of different attacking computers, one method of blocking DDOS attacks relies upon determining the sources of the attack and blocking information from those sources. However, it is often difficult to differentiate between benign information sent from computers not involved in a DDOS attack and information sent as part of the attack itself. While one reliable approach to such differentiation involves scanning the content of all information received, that approach can consume a prohibitive amount of computational resources, especially during periods of high network traffic. It is therefore desirable to develop a method for partitioning information into categories based on whether it is involved in a DDOS attack, without scanning the content of the information received.
The ability to tell the difference between legitimate information and a DDOS attack is made more difficult by the fact that sources of network information may change over time, as some computers stop transmitting information to the target and others begin. It is therefore also desirable to develop a method for partitioning information that adapts to changes in the number and identity of computers transmitting information.
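The following is an added illustration, not the method described in this document: it partitions traffic sources by per-source packet rate using only arrival metadata (timestamp and source address), never packet content, and it adapts as sources appear and go quiet by decaying each source's counter over time. The class, parameter values and packet trace are all constructed for the example.

```python
import math

class SourceRatePartitioner:
    """Split sources into 'suspect' and 'benign' using only arrival metadata
    (timestamp, source address); packet content is never inspected. Each source
    has an exponentially decaying packet counter (time constant tau s), so a
    steady r packets/s settles near r*tau; sources that go quiet are dropped."""

    def __init__(self, tau=1.0, rate_threshold=5.0, forget_below=0.05):
        # Constructed parameters: tau in seconds, thresholds in packets/second.
        self.tau, self.rate_threshold, self.forget_below = tau, rate_threshold, forget_below
        self.state = {}  # source -> (decayed packet count, time of last packet)

    def observe(self, ts, src):
        count, last = self.state.get(src, (0.0, ts))
        count *= math.exp(-(ts - last) / self.tau)  # age the old count to time ts
        self.state[src] = (count + 1.0, ts)

    def rate(self, src, now):
        """Estimated packets/second from src as seen at time now (0 if unknown)."""
        count, last = self.state.get(src, (0.0, now))
        return count * math.exp(-(now - last) / self.tau) / self.tau

    def partition(self, now):
        suspect, benign = set(), set()
        for src in list(self.state):
            r = self.rate(src, now)
            if r < self.forget_below:
                del self.state[src]  # gone quiet: stop tracking this source
            elif r > self.rate_threshold:
                suspect.add(src)
            else:
                benign.add(src)
        return suspect, benign

def constructed_trace():
    """Constructed trace: two hosts at 1 packet/s for 10 s and one host that
    bursts at 40 packets/s from t=3 s to t=5 s, then goes silent."""
    pkts = [(float(i) + off, ip) for i in range(10)
            for off, ip in ((0.0, "192.0.2.10"), (0.5, "192.0.2.11"))]
    pkts += [(3.0 + i * 0.025, "198.51.100.7") for i in range(80)]
    return sorted(pkts)

def classify_at(trace, now, **params):
    """Replay the trace up to time now and return (suspect, benign) sources."""
    p = SourceRatePartitioner(**params)
    for ts, src in trace:
        if ts <= now:
            p.observe(ts, src)
    return p.partition(now)
```

Replaying the trace at t=5 s flags only the bursting host; by t=12 s that host has decayed out of the tracked set while the two steady senders remain classified as benign.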